Path Abuse in Cookies
- May 30, 2007
- Nicolas Derouet
- Firefox, SeaMonkey
- Fixed in
- Firefox 2.0.0.4
- Firefox 1.5.0.12
- SeaMonkey 1.0.9
- SeaMonkey 1.1.2
Nicolas Derouet reported two problems with
cookie handling in Mozilla clients. The first was that the
cookie path parameter was not subject to any length checks, and
this could be abused to cause the victim's browser to use excessive
amounts of memory while it was running as well as waste the disk
space used to store the cookie until it expired.
Cookies sent by an HTTP server are limited to a
reasonable size by the general limit on the size of an HTTP header,
but a cookie set by script through document.cookie could have a path
of any length the script could create -- potentially several
tens of megabytes.
The second issue was that the cookie path and name values were not checked for the presence of the delimiter used for internal cookie storage; if the delimiter was present, it confused later interpretation of the stored cookie data. Since the cookie host continued to be set correctly, there was very little that could be done that the site could not legitimately set in the first place. One exception was the ability for a non-secure site to create "secure" cookies (it still could not read them), which might be a problem on some sites. Other fields in the file could be faked, but scripts that could set cookies at all could generally set them anyway.
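The following Python model, added here and not Mozilla's code, shows both defects in a toy tab-delimited cookie store and the checks that close them. It assumes a Netscape-style record layout (host, path, secure flag, name, value separated by tabs) and an arbitrary 4096-byte path cap; both are constructed for the example.

```python
"""Toy cookie store illustrating unbounded paths and delimiter injection."""
from dataclasses import dataclass

MAX_PATH_LEN = 4096        # assumed cap for this example, not Mozilla's value
DELIM = "\t"               # assumed record delimiter (Netscape cookies.txt style)
FORBIDDEN = DELIM + "\r\n" # characters that would split or terminate a record


@dataclass
class Cookie:
    host: str
    path: str
    secure: bool
    name: str
    value: str


def serialize_naive(c: Cookie) -> str:
    """Pre-fix behaviour: joins fields with no validation at all."""
    flag = "TRUE" if c.secure else "FALSE"
    return DELIM.join([c.host, c.path, flag, c.name, c.value])


def parse(line: str) -> Cookie:
    """Reads a record back, splitting blindly on the delimiter."""
    host, path, flag, name, value = line.split(DELIM)[:5]
    return Cookie(host, path, flag == "TRUE", name, value)


def validate(c: Cookie) -> None:
    """Hardened checks: bound the path and reject delimiter characters."""
    if len(c.path) > MAX_PATH_LEN:
        raise ValueError("cookie path exceeds %d bytes" % MAX_PATH_LEN)
    for field in (c.path, c.name):
        if any(ch in field for ch in FORBIDDEN):
            raise ValueError("delimiter character in cookie path or name")


def serialize_checked(c: Cookie) -> str:
    """Post-fix behaviour: validate before writing the record."""
    validate(c)
    return serialize_naive(c)


def round_trip_flips_secure(c: Cookie) -> bool:
    """True when a non-secure cookie reads back as secure after storage."""
    return (not c.secure) and parse(serialize_naive(c)).secure
```

A path containing a tab shifts every following field by one when read back, which is how a non-secure cookie could reappear with the secure flag set; the checked serializer rejects it before it ever reaches the file.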